Hardware Assurance and its importance to National Security – We chose an American military chip that is highly secure with sophisticated encryption standard, manufactured in China. Our aim was to perform advanced code breaking and to see if there were any unexpected features on the chip. We scanned the silicon chip in an affordable time and found a previously unknown backdoor inserted by the manufacturer. This backdoor has a key, which we were able to extract. If you use this key you can disable the chip or reprogram it at will, even if locked by the user with their own key. This particular chip is prevalent in many systems from weapons, nuclear power plants to public transport. In other words, this backdoor access could be turned into an advanced Stuxnet weapon to attack potentially millions of systems.

NSA Announces New Program to Prime College Students for Careers in Cyber Ops – Many of the nation's colleges and universities offer courses or promote projects in cybersecurity. NSA's new program differs in that it integrates the relevant academic disciplines, with a focus on technology and the techniques associated with specialized cyber operations – collection, exploitation, and response, for example. Each new center is also required to include an academic unit about the legal and ethical issues in this area.

Equipment Maker Caught Installing Backdoor Vows to Fix Following Public Pressure – After ignoring a serious security vulnerability in its product for at least a year, a Canadian company that makes equipment and software for critical industrial control systems announced quietly on Friday that it would eliminate a backdoor login account in its flagship operating system, following public disclosure and pressure.

All hail the new spam king: India – None of this means India has suddenly become a nation of spammers — just that the amount of email spam sent from computers in India now seems to exceed the amount sent by computers in the United States and other countries.

DoD sorting out cyber warfare policy – Fort Leavenworth, KS – The Fort Leavenworth Lamp – Senior Pentagon officials are working to determine how the centuries-old Law of Armed Conflict applies to potential conduct of operations in the newest military domain of the Internet, the deputy assistant secretary for cyber policy said April 11. “Because it’s a new domain and people in the department and senior military officers tend to use a military-type language when talking about (the cyber domain), it often looks like we’re more aggressive in cyberspace than we, in fact, are,” Rosenbach said. “ … We don’t want to establish unhelpful norms (and) we don’t want to use force in cyberspace unless we absolutely have to,” he added. “So we’re working to protect the nation but in a way that’s not overly aggressive and (doesn’t do) anything that Americans wouldn’t be proud of.”

Another week and it seems it is time for another “cyber security policy” from a GoI body. This time it seems to be the National Security Council Secretariat (NSCS), which has reportedly

come up with a comprehensive cyber security policy for upgrading the security of systems and preventing them from being hacked, attacked with malware, or intruded upon by hostile entities.

Details are sketchy, which is not a surprise. Only Hindustan Times is reporting the story and what they say is

the plan has three components that demarcate task and authority. The existing Indian Computer Emergency Response Team (CERT-IN) will be tasked to handle the commercial aspects of cyber security, including 24×7 proactive responses to hackers, cyber-attacks, intrusions and restoration of affected systems.

The second aspect of the cyber plan is the creation of a technical-professional body that certifies the security of a network to ensure the overall health of government systems. While NSCS is advocating that initially the certification of networks could be done by private agencies, the long term plan is to create a technical body of professionals, all under 40, who will form the backbone of Indian cyber security.

The third aspect of the plan is cyber defence of critical infrastructure networks that are vulnerable to hostile foreign governments or proxy entities.

This seems eerily similar to the Ministry of Information’s “National Cyber Security Policy” Discussion Draft (pdf) that was issued around this time last year. We at Takshashila had responded (pdf) to that earlier invitation for comments and from the looks of it the issues raised then still plague this policy too.

(3) Orphan Policy. Cyber security cannot be considered in a silo. Cyber security – the business of safeguarding a country’s networking and technology infrastructure, and electronic information – is a subset of national security and a cyber security policy must be congruent to a national security policy. However, as India does not have a national security policy, the cyber security policy identified in the draft is effectively a “policy orphan.” As a result, significant gaps could exist between this policy document and what different ministries, departments and agencies assume might be India’s national security goals and priorities. While we agree that this is not something that can be remedied at one go, the orphaned nature of the cyber security policy should be recognised and its implication studied and understood.

US Homeland Security Secretary Janet Napolitano’s recent comment that the administration has and will consider the participation of private companies in “proactive” cyber “counterattacks” has received its share of attention:

In discussing the private partnerships she is promoting to combat cyberattacks, Napolitano was asked if instead of just taking defensive measures, the government and companies should be launching proactive counterattacks against foreign-based culprits. “Should there be some aspect that is in a way proactive instead of reactive?” she responded, and then answered her own question with “yes.” She added, “it is not something that we haven’t been thinking about,” noting someone else had raised the subject with her earlier Monday.

Before analysing this development and the concept in general, it needs to be stated that there seems to be some ambiguity, at least in my mind, about the statement(s) by Napolitano. Napolitano’s use of “proactive” and “counterattack” together, as reported by San Jose Mercury News, seems confusing since “proactive” is a term that is usually used along with the concept of “defense.” In risk management lingo, ‘proactive’ denotes the act of taking initiative by acting rather than reacting to threat events, while ‘reactive’ actions respond to past event(s) rather than predicting and acting before these perceived events. Thus “proactive” gels well together with “defense”, which in military literature refers to the art of preventing an attack, to mean the act of defending against an imminent attack by taking action before the attack has happened. This flies completely against the concept of counter-attack which is about, duh, countering an attack that has already happened, something that automatically classifies the act as being reactive.

My guess is that Ms. Napolitano did mean counter-attack but by “proactive” she was trying to emphasise the fact that the reaction from the US will not be limited to acts of defense but will include counter-offensive moves. Either way, I did end up smiling when I read the double negative that Ms. Napolitano used:

“Should there be some aspect that is in a way proactive instead of reactive?” she responded, and then answered her own question with “yes.” She added, “it is not something that we haven’t been thinking about,” (…)

Now that my confusion regarding the use of “proactive counterattack” is out in the open, let us get to the main point of discussion – use of private companies in proactive cyber attacks by nation states. In traditional military engagement, private military companies have long been used to supplement the operational capability of the nation state’s army. In recent years the role has increasingly moved from support of military personnel in areas like security of the military base, protecting the convoy etc., to a more traditional role played by active military personnel as part of an active war operation. The case of Academi (previously Blackwater) is a prime example of such private military companies.

The reasons have been numerous, the cost being the obvious but not the main one, which is to avoid the scrutiny, including Congressional oversight in the US, that seems to be reserved for the military personnel of the nation-state. A similar reasoning can be used within cyberspace as well. Private companies engaged in cyber operations, regardless of their nature (defensive, offensive, counter-attack, proactive), can be set up to evade deep scrutiny and congressional oversight. This gives them the flexibility to be a lot more liberal about the means and mechanisms used without having to worry about repercussions.

The practice also provides a good means to exploit the attribution problem, which has so far been an issue rather than a way out for the US (pdf). By engaging private civilian companies it becomes harder for the subject of the attacks to concretely state that they were indeed targeted by the US. Even if they did, the fact that the attacks cannot be traced back to have originated from the networks of the US military complex gives the US enough excuses to assert that it was neither aware of nor had authorised such attacks. Such a setup has been used with good results by the Chinese and the Russians.

In the narrower context of counter-attacks, the cyber domain differs from the rest of the domains of land, sea, air and space in a crucial way: the conduits/medium used for the attacks, the networks consisting of the backbone of routers, cables and other physical and software based systems, are owned by private companies. The four traditional domains differ from the cyber domain in that in each of the four cases, the conduit of attack (land, sea, air and space respectively) is usually owned, at least in the extended sense of the word, by the nation state that is attacking or being attacked. This makes it easier to construct a case for involving private companies, since after all they are direct front line casualties in the event of an attack.

Another reason is of course the simple practical fact that the talent pool of experts expands drastically if private companies are also considered as part of the “recruitment” space. Cyber is the only domain in the list of five where the private sector holds a big slice of the capable, qualified individuals who can provide service in these operations. Public-private partnerships just make sense.

The wholesale hiring of “ethical hackers” by NTRO, as reported by news outlets, provides a seemingly similar setup in India, with the crucial disadvantage that this “hired help” is still directly associated with NTRO and hence NTRO can and will be held accountable for their actions, negating some of the crucial advantages of using private companies/individuals. What is needed is a deeper and longer term relationship between the government and private companies that makes defending the infrastructure they both rely on the central theme, and that works on the means to do that, be it defensive postures or offensive gestures.

There are of course risks involved. Command structure gets blurred when the military structure merges with the private sector, and without one, controlling these private parties becomes a risky process that cannot be taken for granted. This has been seen again and again in cases related to Blackwater. What if an unapproved action on the part of the private contractor is judged as an act of war by the other party and leads to a confrontational situation? A similar situation can arise when the wrong magnitude of (counter)attack force is applied, accidentally or otherwise, by these third parties.

All these point to the fact that the use of private companies in cyber operations is tactically a good move and, some would argue, a necessity. However it cannot be done at the drop of a hat, since the “rules of engagement” are bound to be fickle in such symbiotic associations.

Imagine a makeshift stall peddling pirated CDs, DVDs and other media carrying music, movies and software. Now imagine a new law that tries to put the stall out of business by disrupting the transport service that takes people to the store, preventing the banks from processing the money that the stall owner tries to deposit and preventing the stall owner from using the stall for any other revenue generating work. Translate this into the online world and you get a rough idea of the scope of the “Stop Online Piracy Act” (SOPA) bill that was introduced in the US House of Representatives and the equivalent “PROTECT IP Act” (PIPA) bill that was introduced in the US Senate in late 2011.

(…)

Head over there and post your comments, or of course, put them down here too.